Olafur Gudmundsson <[email protected]> wrote:
>> Or, "does any gTLD registrar support algs 13-14??" Or, "won't anyone
>> validate my zone??"
>>
>> So, currently, I use Dyn for some gTLD domains that I have that are
>> all DNSSEC-signed. Recently, I decided to start signing some of them
>> with ECDSAP384SHA384. Now I'll just update the DS records and...oh,
>> no algorithm 14 is supported in the drop-down menu for Dyn. Neither
>> are 12 or 13 for that matter. Okay, time to fire off a note to Dyn
>> tech support and here's the gem of the reply:
>>
> Hi Michael, on the second question: almost every current release of all
> resolvers supports ECDSA verification; the exceptions are that some OS
> distributions strip ECC from openssl and other crypto libraries as a
> precaution against patent lawsuits. Google Public DNS added support
> a little bit over a week ago.
It's not a question of: "can we do this", but rather a question of:
if we do it, then it needs to be done correctly, which means some test
cases and test data, and this takes a non-zero amount of time.
Could the effort be better spent elsewhere?
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | network architect [
] [email protected] http://www.sandelman.ca/ | ruby on rails [