Wonderful to hear Google PDNS supporting ECC validation!!!  Thank you
Google.


-----Original Message-----
From: dnssec-deployment-boun...@dnssec-deployment.org
[mailto:dnssec-deployment-boun...@dnssec-deployment.org] On Behalf Of Olafur
Gudmundsson
Sent: Tuesday, December 23, 2014 7:40 AM
To: Michael Sinatra
Cc: DNSSEC deployment
Subject: Re: [Dnssec-deployment] oh no! It's that registrar question again


> On Dec 18, 2014, at 8:04 PM, Michael Sinatra <mich...@brokendns.net> wrote:
> 
> Or, "does any gTLD registrar support algs 13-14??"
> Or, "won't anyone validate my zone??"
> 
> So, currently, I use Dyn for some gTLD domains that I have that are 
> all DNSSEC-signed.  Recently, I decided to start signing some of them 
> with ECDSAP384SHA384.  Now I'll just update the DS records and...oh, 
> no algorithm 14 is supported in the drop-down menu for Dyn.  Neither 
> are 12 or 13 for that matter.  Okay, time to fire off a note to Dyn 
> tech support, and here's the gem of the reply:
> 

Hi Michael,
on the second question: almost every current release of all resolvers
supports ECDSA verification. The exceptions are that some OS distributions
strip ECC from openssl and other crypto libraries as a precaution against
patent lawsuits. Google Public DNS added support a little bit over a week
ago. 

I have a support request into GoDaddy to add support for ECDSA algorithms 13
and 14; they will add support soon (as of right now they are not supported). 
Everyone on this mailing list should check whether their registrar supports ECDSA
(and GOST) and complain if it does not. 

> 
>> Hello,
>> 
>> Thank you for contacting Dyn Technical Support,
>> 
>> Unfortunately, this maybe something implemented in the future but 
>> current we only support what you find on that interface.
>> 
>> If you have any other questions or concerns please contact us again 
>> at any time.
>> 
>> Thank you and take care,
> 
> Leaving aside the unfortunate trend regarding the increasing inability 
> of tech support people to construct grammatically-correct sentences, I 
> am kind of surprised and disappointed about this.  So I took a quick 
> look at godaddy, and see that they support alg 12 but not 13 and 14.
> 
> Then I tried ISC DLV and kept getting errors when trying to paste an 
> alg 14 DNSKEY record; it said that the format was wrong.  When I 
> instead pasted in the DS record for said key, a big red error message 
> came up (but it didn't say anything specific like "algorithm not 
> supported").
> I'll try to figure out what that means.
> 
ISC DLV must die !!!!

> It looks like we're starting to get the implementation issues and 
> kinks worked out with signing software when it comes to using these 
> new algorithms, but it seems that the registrars haven't caught up 
> (and I am not sure how many of them want to get caught up).  I 
> understand market forces in the registrar business, but I am wondering 
> if this market isn't suffering from a "race to the bottom" dynamic.  I 
> am hoping someone can prove me wrong and suggest a registrar that 
> keeps up with DNSSEC evolution, along with other security best practices.
> Any takers?
> 
> michael


Registrars worry mostly about losing customers, thus if they get a reason to do
something to keep customers then hopefully they will do it. 

I now work at Cloudflare and we will sign over 1M domains next year using
ECDSA; feel free to use that as an argument to your registrars. 

    Olafur

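The DS record that Michael was trying to hand his registrar is derived from the DNSKEY as shown below: canonical owner name plus DNSKEY RDATA, hashed with the DS digest type, with the RFC 4034 key tag in front. This is an added Python example, not code from the thread; the owner name `example.net.` and the all-zero 96-byte key are constructed stand-ins, not real key material.

```python
import base64
import hashlib

# IANA DNSSEC algorithm numbers named in the thread.
ALGORITHMS = {12: "ECC-GOST", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384"}
# RFC 6605 public key lengths (uncompressed point, no 0x04 prefix).
ECDSA_KEY_LEN = {13: 64, 14: 96}
# DS digest types: 2 = SHA-256, 4 = SHA-384.
DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}

def owner_wire(name):
    """Canonical wire form of the owner name (RFC 4034 s6.2): lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B, algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def dnskey_to_ds(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """Return (key tag, algorithm, digest type, hex digest) for the DS RR of this DNSKEY."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"algorithm {algorithm} is outside this example's scope")
    if algorithm in ECDSA_KEY_LEN and len(pubkey) != ECDSA_KEY_LEN[algorithm]:
        raise ValueError("ECDSA public key has the wrong length for its algorithm")
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    # The DS digest covers the canonical owner name followed by the DNSKEY RDATA.
    digest = DIGESTS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest

def ds_from_presentation(line, digest_type=2):
    """Turn an 'owner [ttl] [IN] DNSKEY flags proto alg base64...' line into DS text."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    tag, alg, dt, digest = dnskey_to_ds(fields[0], flags, proto, alg, pubkey, digest_type)
    return f"{fields[0]} IN DS {tag} {alg} {dt} {digest}"

if __name__ == "__main__":
    # Constructed KSK line: 96 zero bytes (base64 "AAAA...") stand in for a real P-384 key.
    print(ds_from_presentation("example.net. 3600 IN DNSKEY 257 3 14 " + "A" * 128))
```

Paste the printed DS line into the registrar's DS form; a form that offers no way to enter algorithm 13 or 14 is exactly the gap the thread complains about.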