On 4/27/21 22:56, Arne Jensen wrote:
In the end, I would simply set up everything with 14 4, a.k.a.
ECDSAP384SHA384, unless any customers/clients could provide valid
justification (including evidence) why it "cannot" be used, such as
e.g. a TLD not supporting it, could be valid justification to make an
exception for that particular TLD. But in order to make that
exception, there would need to be evidence (from the customer/client)
documenting the claim, so they cannot just go with "I don't like this
algorithm", or other useless crap to go down to for example SHA1.
It would likewise be mandatory, if I had anything to say, for public
sector/government and financial institutions (banks, card issuers, and
so on), to run DNSSEC and to always secure that they had the strongest
possible algorithms on it.
NB: The reason I'm writing 14 4, a.k.a. ECDSAP384SHA384 all along is
that I've seen DNSSEC signatures with 14 2 (ECDSAP384SHA256), which I
would find quite weird.
I've been happy with ECDSAP384SHA384 for a few months now. No issues to
report. All works. My registrar supports it. End of.
The only other thing I can say to the OP is the whether the registrar
supports the uploading of DS records, or derives the DS record from the
DNSKEY you submit to them. From another list discussion a while back,
the world appears to be split 50/50 on this.
Mark.
